Feeds

Don't expect privacy law overhaul in the wake of HMRC

Politicos just blowing smoke

The essential guide to IT transformation

Opinion Data protection, privacy and information law have never been so high profile as in recent months. Following the loss of 25 million people's personal details by HM Revenue and Customs (HMRC), there has been what seems like a tide of gaffe after slip-up, all resulting in private personal details spilling out into the public domain.

For once data protection received some public empathy. No longer was it blamed, as it once was by British Gas, for the death of elderly people; now it could be the champion of our ever-harder battles to keep our privacy intact.

The result was a flurry of announcements by Government seeming to boost data protection. Read at face value it seemed as though Prime Minister Gordon Brown was overhauling the data protection landscape. As we will see, though, his plans amounted to less radical change than appearances suggested.

The government announced a review by PricewaterhouseCoopers of HMRC and the specific problem that arose there. It also announced a security review by Cabinet Secretary Gus O'Donnell across the whole of Government.

Also announced was a boost to the powers of the Information Commissioner's Office (ICO) to carry out information policy audits on government departments whether or not it had their permission.

These announcements followed news from before the HMRC leak that the government would issue guidance to journalists on new criminal offences under the Data Protection Act (DPA) and a review of the use of information in the public and private sectors.

This looks like a reforming programme at first, but the detail tells another story.

The consultation document issued by the ICO in its review focuses on data-sharing. The limited scope of the project suggests that it is unlikely to lead to changes in the law. No doubt it will result in recommendations on practice or interpretation, but no major change seems likely.

There is pressure, though, for the review to go further in the aftermath of the HMRC disaster and others that have followed, such as the recent loss of army laptops containing thousands of individuals' information.

O'Donnell's security review does not appear to be a detailed assessment, let alone a root and branch review. It appears to have been conducted by means of a general request to all departments asking them to provide a return stating that they have proper contracts in place, adequate security measures and so on. This is not being conducted by the ICO, and what the output will be in terms of published materials or report we do not yet know.

As for the audit powers granted the ICO, these stretch only to government departments, leaving companies out of the forced-audit loop. Commissioner Richard Thomas has long said that he wants to be able to conduct audits on any organisation at any time, but that power still eludes him.

Are there any other potential changes going on, then? The two which seem most threatening to data controllers are the prospect of breach notification and the proposal for a new offence of gross security negligence. Both would penalise those who fail to offer proper protection for data.

There have been calls for a data breach notification law that would force organisations to tell people when it had compromised their data security. Such laws are in place in 34 US states and in New York City, and the House of Lords Committee on Internet Security recommended the creation of such a law in the UK.

The European Union has also made a formal proposal for such a law in its review of telecommunications regulation.

But the government has rejected the Lords' recommendation, and the EU proposal only applies to telecoms companies, not to ordinary data controllers.

Richard Thomas has called for a new offence to penalise those who are grossly negligent with our data. This is not currently a government proposal. It is recognised that such an offence would be very hard to draft so as to catch the mischief at the right level. While it might sound an attractive prospect it would be a very slow burn.

So while data protection stays in the headlines the political world can point to a range of measures being looked at. On closer inspection, though, they are more limited in scope and restrictive in recommendation than they might first appear.

So far, then, their effect is likely to be muted, and few changes in the law can be expected any time soon.

This is the first in a series of articles appearing on OUT-LAW this week to celebrate Data Protection Day 2008.

By Rosemary Jay, Head of the Information Law team at Pinsent Masons, the law firm behind OUT-LAW.COM. Find out how to win a copy of Rosemary's book, Data Protection Law and Practice.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

5 things you didn’t know about cloud backup

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
Felony charges? Harsh! Alleged Anon hackers plead guilty to misdemeanours
US judge questions harsh sentence sought by prosecutors
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?